HackTool - Impacket Tools Execution

About the rule

Rule Type

Standard

Rule Description

Detects execution of various Impacket toolkit Windows binaries based on process names. These binaries are commonly used for man-in-the-middle attacks, credential dumping, and lateral movement via SMB and WMI protocols.

Severity

Trouble

Rule journey

Attack chain scenario

Collection → Credential Access

Impact

Enables adversaries to perform credential relay and theft, facilitating lateral movement, privilege escalation, and persistent access.

Rule Requirement

Prerequisites

Using Windows Event Viewer

  1. Log in to a domain controller with domain admin credentials.
  2. Open Group Policy Management Console (GPMC) by typing gpmc.msc in the Run dialog.
  3. Create a new GPO or edit an existing one linked to the appropriate OU.
  4. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Detailed Tracking.
  5. Right-click on Audit Process Creation and select Properties.
  6. Select Configure the following audit events, check the Success box, then click OK.
  7. Right-click on Audit Process Termination and select Properties.
  8. Select Configure the following audit events, check the Success box, then click OK.
  9. For enhanced process tracking with command line information:
    a. Navigate to Computer Configuration → Administrative Templates → System → Audit Process Creation.
    b. Double-click on Include command line in process creation events.
    c. Select Enabled and click OK.
  10. Create a new registry key named "Microsoft-Windows-Security-Auditing/Operational" under the registry path:
    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\

Using Sysmon

  1. Download and install Sysmon from Microsoft Sysinternals: Sysmon Download.
  2. Open Command Prompt as administrator.
  3. Create or download a Sysmon configuration file that includes process creation monitoring.
  4. Install Sysmon using the config:
    sysmon.exe -i [configfile.xml]
  5. Ensure your config includes:
    <Sysmon>
    <EventFiltering>
    <ProcessCreate onmatch="exclude"/>
    </EventFiltering>
    </Sysmon>
  6. Create a new registry key named "Microsoft-Windows-Sysmon/Operational" under the registry path:
    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\

Criteria

Action1: actionname = "Process started"
  AND (
    PROCESSNAME contains "\goldenPac,\karmaSMB,\kintercept,\ntlmrelayx,\rpcdump,\samrdump,\secretsdump,\smbexec,\smbrelayx,\wmiexec,\wmipersist"
    OR PROCESSNAME endswith "\atexec_windows.exe,\dcomexec_windows.exe,\dpapi_windows.exe,\findDelegation_windows.exe,\GetADUsers_windows.exe,\GetNPUsers_windows.exe,\getPac_windows.exe,\getST_windows.exe,\getTGT_windows.exe,\GetUserSPNs_windows.exe,\ifmap_windows.exe,\mimikatz_windows.exe,\netview_windows.exe,\nmapAnswerMachine_windows.exe,\opdump_windows.exe,\psexec_windows.exe,\rdp_check_windows.exe,\sambaPipe_windows.exe,\smbclient_windows.exe,\smbserver_windows.exe,\sniff_windows.exe,\sniffer_windows.exe,\split_windows.exe,\ticketer_windows.exe"
  )
  select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
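The matching logic of the Criteria above, as an added Python example (not part of the rule page or the vendor's engine) run over constructed process-creation events: the process-start filter is applied first, then the contains/endswith name lists. Case-insensitive comparison and the dict field names are assumptions.

```python
# Process-name patterns copied from the rule's Criteria section.
CONTAINS = ["\\goldenPac", "\\karmaSMB", "\\kintercept", "\\ntlmrelayx",
            "\\rpcdump", "\\samrdump", "\\secretsdump", "\\smbexec",
            "\\smbrelayx", "\\wmiexec", "\\wmipersist"]
ENDSWITH = ["\\%s_windows.exe" % n for n in (
    "atexec", "dcomexec", "dpapi", "findDelegation", "GetADUsers", "GetNPUsers",
    "getPac", "getST", "getTGT", "GetUserSPNs", "ifmap", "mimikatz", "netview",
    "nmapAnswerMachine", "opdump", "psexec", "rdp_check", "sambaPipe",
    "smbclient", "smbserver", "sniff", "sniffer", "split", "ticketer")]
SELECT = ("HOSTNAME", "MESSAGE", "COMMANDLINE", "FILE_NAME", "PROCESSNAME",
          "USERNAME", "PARENTPROCESSNAME")


def matches_rule(event):
    """True when the event satisfies the Criteria: a process-start event whose
    name contains a CONTAINS fragment or ends with an ENDSWITH name.
    Comparison is case-insensitive (assumed; Windows paths are)."""
    if event.get("actionname") != "Process started":
        return False
    name = event.get("PROCESSNAME", "").lower()
    return (any(frag.lower() in name for frag in CONTAINS)
            or any(name.endswith(suffix.lower()) for suffix in ENDSWITH))


def triage(events):
    """Return the rule's selected fields for every matching event."""
    return [{f: e.get(f, "") for f in SELECT} for e in events if matches_rule(e)]


# Constructed sample telemetry (not real logs): two should fire, two should not.
SAMPLE_EVENTS = [
    {"actionname": "Process started", "HOSTNAME": "ws-042", "USERNAME": "CORP\\jdoe",
     "PROCESSNAME": "C:\\Users\\jdoe\\Downloads\\secretsdump_windows.exe",
     "COMMANDLINE": "secretsdump_windows.exe", "FILE_NAME": "secretsdump_windows.exe",
     "PARENTPROCESSNAME": "C:\\Windows\\System32\\cmd.exe", "MESSAGE": "4688"},
    {"actionname": "Process started", "HOSTNAME": "ws-042", "USERNAME": "CORP\\jdoe",
     "PROCESSNAME": "C:\\Tools\\PSEXEC_WINDOWS.EXE", "COMMANDLINE": "PSEXEC_WINDOWS.EXE",
     "FILE_NAME": "PSEXEC_WINDOWS.EXE", "PARENTPROCESSNAME": "C:\\Windows\\explorer.exe",
     "MESSAGE": "4688"},
    # Termination event: the name matches, but actionname filters it out.
    {"actionname": "Process ended", "HOSTNAME": "ws-042", "USERNAME": "CORP\\jdoe",
     "PROCESSNAME": "C:\\Tools\\wmiexec_windows.exe", "MESSAGE": "4689"},
    {"actionname": "Process started", "HOSTNAME": "srv-01", "USERNAME": "NT AUTHORITY\\SYSTEM",
     "PROCESSNAME": "C:\\Windows\\System32\\svchost.exe", "MESSAGE": "4688"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["HOSTNAME"], hit["USERNAME"], hit["PROCESSNAME"])
```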

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

T1557.001 – Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Security Standards

  • Disable LLMNR and NetBIOS where unnecessary
  • Block LLMNR/NetBIOS traffic and enable SMB signing
  • Use network IDS/IPS for adversary-in-the-middle (AiTM) traffic detection
  • Implement network segmentation to limit lateral movement

Author

Florian Roth (Nextron Systems)

Future actions

Known False Positives

Legitimate use of Impacket toolset by IT administrators or internal security teams

Next Steps

  • Investigate detected Impacket executions for unauthorized use
  • Confirm legitimate use by authorized personnel
  • Harden vulnerable protocols and enforce SMB signing
  • Deploy traffic filtering and enforce network segmentation
  • Ensure detailed process creation logging is in place for ongoing detection and response

Mitigation

Mitigation ID | Name | Description
M1030 | Network Segmentation | Segment your network to restrict SMB and Impacket-related traffic to only necessary systems, limiting lateral movement opportunities.
M1037 | Filter Network Traffic | Use host-based security to block LLMNR/NetBIOS traffic. Enabling SMB signing helps prevent relay attacks commonly leveraged by Impacket.
M1031 | Network Intrusion Prevention | Deploy network intrusion detection and prevention systems to identify and block anomalies consistent with Impacket tool use.
M1042 | Disable or Remove Features | Disable LLMNR and NetBIOS protocols if not required to reduce attack surface for man-in-the-middle relay attacks.
M1051 | Update Software | Keep operating systems, applications, and security tools updated to reduce vulnerabilities that Impacket can exploit.
M1017 | Increase Logging and Monitoring | Enable comprehensive logging of command-line activities and SMB events to detect and respond to Impacket-related malicious activity.